Phishing Scheme Uses Google Drive to Avoid Security: Report

A newly identified phishing campaign used Google Drive to help bypass some email security features as attackers attempted to target a company in the energy industry, security firm Cofense reported this week.

To better disguise this spear-phishing campaign, the attackers sent emails under the guise of the firm's CEO, which included the link to a Google Docs file as well as a fake login page, according to Cofense researchers.

The attackers used a tailor-made email that included the company logo, the CEO's name and a previously disseminated business message to make it appear even more authentic, according to the Cofense blog post about the attack, which did not identify the targeted company.

And while the phishing emails were tailored to get employees to click so that credential-harvesting malware could be downloaded, it's the use of a Google Drive link that allowed the attackers to bypass the security features built into Microsoft Exchange because the link came from an authentic and recognized business service, according to the researchers.

An example of a phishing email with Google Drive link (Image: Cofense)

It appears the target company's email body inspection tool did not examine the message past the first link, which then allowed the email to be marked as non-malicious and passed on to employees along with the payload, the researchers note.

"By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular, Microsoft Exchange Online Protection, and make its way to the end user," says Aaron Riley, a Cofense researcher who examined the attack.

Bypassing Security Checks

Over the last several years, Google Drive has emerged as a popular means for attackers to disseminate mass phishing emails because it is so difficult to block. This makes it easier for attackers to send malicious links hosted on Google Drive, which security filters fail to detect, the Cofense researchers note.

And while the researchers recommend network content filtering appliances as a way to help thwart such attacks, the legitimacy granted to Google Drive as a business tool can still permit the phishing emails to pass through due to a failure of email content analysis.

"The legitimacy of Google Drive allows for these phishing campaigns to bypass an organization's email security stack, namely due to the shortcomings of the email content filtering's link analysis component," the researchers say.
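The inspection gap described in this section (a filter that stops after the first link, and link analysis that treats a well-known file-sharing host as safe on sight) can be illustrated with an added example. This is not Cofense's tooling or the targeted company's filter; it enumerates every link in a message and scores the message by its worst link, so a benign first link cannot shield later ones. The sample message, the domains, the trusted-host list and the verdict names are all constructed for the demonstration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message with hypothetical domains; not the email from the Cofense report.
SAMPLE_EMAIL = """\
From: CEO <ceo@example-energy.invalid>
To: staff@example-energy.invalid
Subject: Updated company message
Content-Type: text/html; charset="utf-8"

<html><body>
<p><img src="https://www.example-energy.invalid/logo.png" alt="logo"></p>
<p>Please read the <a href="https://www.example-energy.invalid/news">company update</a>.</p>
<p>Full document: <a href="https://docs.google.com/document/d/PLACEHOLDER_DOC_ID/edit">shared file</a></p>
<p>Or open https://signin.unrelated-host.invalid/portal directly.</p>
</body></html>
"""

# Assumed policy lists for the demonstration (a real deployment would source these from configuration).
TRUSTED_HOSTS = {"www.example-energy.invalid"}
FILE_SHARING_HOSTS = {"docs.google.com", "drive.google.com"}  # legitimate service, but the shared content still needs inspection

BARE_URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _LinkCollector(HTMLParser):
    """Collects every <a href> and the visible text (so bare URLs in the text are found too)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text.append(data)


def extract_links(raw_email):
    """Return every link in every text part of the message, in order, without duplicates."""
    msg = message_from_string(raw_email)
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        body = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
        if part.get_content_subtype() == "html":
            collector = _LinkCollector()
            collector.feed(body)
            links.extend(collector.hrefs)
            links.extend(BARE_URL_RE.findall("".join(collector.text)))
        else:
            links.extend(BARE_URL_RE.findall(body))
    return list(dict.fromkeys(links))


def classify_link(link):
    """Verdict for one link based on its host (constructed verdict names)."""
    host = (urlparse(link).hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return "trusted"
    if host in FILE_SHARING_HOSTS:
        return "inspect-shared-content"
    return "untrusted"


def first_link_only(raw_email):
    """Models the behaviour the report describes: only the first link is analysed."""
    links = extract_links(raw_email)
    return classify_link(links[0]) if links else "no-links"


def all_links(raw_email):
    """Analyse every link and return the worst verdict, so later links cannot hide behind a benign first one."""
    severity = {"no-links": 0, "trusted": 0, "inspect-shared-content": 1, "untrusted": 2}
    verdicts = [classify_link(link) for link in extract_links(raw_email)] or ["no-links"]
    return max(verdicts, key=severity.__getitem__)


if __name__ == "__main__":
    for link in extract_links(SAMPLE_EMAIL):
        print(f"{classify_link(link):24} {link}")
    print("first-link-only verdict:", first_link_only(SAMPLE_EMAIL))
    print("all-links verdict:      ", all_links(SAMPLE_EMAIL))
```

Run against the constructed message, the first-link-only check returns "trusted" and would release the email, while the all-links check returns "untrusted" because of the third link. Note that the file-sharing verdict is deliberately not "trusted": a link on a recognised service is only as safe as the document behind it, which is the point the researchers make about Google Drive.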

The Phish

In the case that Cofense uncovered involving the energy firm, the employees who accessed the Google Drive documents were redirected to an external link with a fake login page, enabling the threat actors to steal their credentials.

The fake landing page was created on August 1, the report notes.

However, because the message in the phishing email was outdated and irrelevant to some of the recipients, Cofense researchers found that the attackers were not successful in targeting a large number of employees.

It's not clear who the attackers behind this particular campaign are, or why they decided to specifically target this company, the researchers note.

A Growing Threat

These types of spear-phishing or email account takeover attacks are on the rise, with cybercriminals using compromised accounts to laterally send emails across an enterprise or even to outside vendors who do business with the victim company, according to new research from Barracuda Networks.

In the Barracuda report, which surveyed 100 businesses, the researchers found that one in seven experienced these types of lateral phishing attacks within the last seven months.

"Because attackers control a legitimate account in an email account takeover attack, they could mine the hijacked account's emails to craft custom and highly personalized messages," according to the Barracuda report.

Phishing attacks are being used against an array of targets, including those in the banking and credit card industry.

In July, Cofense disclosed a phishing campaign that used fake URLs to target American Express card users. The attackers sent a hyperlink as part of a phony account update to access the victims' credentials and other account details (see: Phishing Scheme Targets Amex Cardholders).

About the Author

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked at Analytics India Magazine, The New Indian Express and IDG, where she reported on developments in technology and education.
